Splunk Enterprise Security

Why do correlation searches in Enterprise Security not use "summariesOnly=true"?

koshyk
Super Champion

hi,

I was looking into the out-of-box Splunk correlation searches in Splunk Enterprise Security (ES) and it contains allow_old_summaries=true and not summariesOnly=true. Both give me the same set of results.

Time required to run the original Splunk Searches takes me >220 seconds, but with summariesOnly=true, it gives me exactly same output in 8 seconds. So was thinking why Splunk didn't do it in first place? Will data be missed if I use summariesOnly=true?

0 Karma
1 Solution

stanwin
Contributor

When you add the summariesonly=t flag, this tells the data model only to look at existing accelerated data (tsidx.) If you dont have acceleration configured, or it hasnt run fully, then you wont get results.

From https://answers.splunk.com/answers/301913/where-and-when-do-we-use-summariesonlyt-with-datam.html

also

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Tstats

View solution in original post

stanwin
Contributor

When you add the summariesonly=t flag, this tells the data model only to look at existing accelerated data (tsidx.) If you dont have acceleration configured, or it hasnt run fully, then you wont get results.

From https://answers.splunk.com/answers/301913/where-and-when-do-we-use-summariesonlyt-with-datam.html

also

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Tstats

koshyk
Super Champion

Thank you. So that means if we have accelerated data models(eg Splunk_TA_CIM), it is good enough to use "summariesonly=t"

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...